Linux Kernel up to 6.13.4/6.14-rc3 zswap_store_page denial of service

Summaryinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.13.4/6.14-rc3. Affected by this vulnerability is the function zswap_store_page. Executing a manipulation can lead to denial of service. This vulnerability is registered as CVE-2025-21860. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.13.4/6.14-rc3. This vulnerability affects the function zswap_store_page. The manipulation with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: mm/zswap: fix inconsistency when zswap_store_page() fails Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswap entries when it failed to zswap the entire folio. However, when some base pages are zswapped but it failed to zswap the entire folio, the zswap operation is rolled back. When freeing zswap entries for those pages, zswap_entry_free() uncharges the zswap entries that were not previously charged, causing zswap charging to become inconsistent. This inconsistency triggers two warnings with following steps: # On a machine with 64GiB of RAM and 36GiB of zswap $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng $ sudo reboot The two warnings are: in mm/memcontrol.c:163, function obj_cgroup_release(): WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1)); in mm/page_counter.c:60, function page_counter_cancel(): if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n", new, nr_pages)) zswap_stored_pages also becomes inconsistent in the same way. As suggested by Kanchana, increment zswap_stored_pages and charge zswap entries within zswap_store_page() when it succeeds. This way, zswap_entry_free() will decrement the counter and uncharge the entries when it failed to zswap the entire folio. While this could potentially be optimized by batching objcg charging and incrementing the counter, let's focus on fixing the bug this time and leave the optimization for later after some evaluation. After resolving the inconsistency, the warnings disappear. [[email protected]: refactor zswap_store_page()] Link: https://lkml.kernel.org/r/[email protected]

The advisory is available at git.kernel.org. This vulnerability was named CVE-2025-21860 since 12/29/2024. Technical details are known, but there is no available exploit.

Upgrading to version 6.13.5 or 6.14-rc4 eliminates this vulnerability. Applying the patch a3652f5552b20903315612da487a7be2b95394d5/63895d20d63b446f5049a963983489319c2ea3e2 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2025-0545). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Siemens SIMATIC S7
• RESF Rocky Linux
• SolarWinds Security Event Manager
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.13.0
• 6.13.1
• 6.13.2
• 6.13.3
• 6.13.4
• 6.14-rc1
• 6.14-rc2
• 6.14-rc3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion